File: transparent.html

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>ClamSMTP: Transparent Proxying</title>
<link rel="stylesheet" type="text/css" href="../../style.css">
</head>

<body bgcolor="#FFFFFF">
<h1>ClamSMTP: Transparent Proxying</h1>

<p>A transparent proxy intercepts a certain type of traffic at your 
gateway or router and sends it through a proxy without the knowledge of the 
user or client. Here is a simple description of how to use ClamSMTP 
as a transparent proxy to do virus checking on SMTP traffic going in or out 
of your network.</p>

<p>You should already be familiar with routing and network administration. 
Those topics are not touched on here.</p>

<p>Note that certain features of SMTP are disabled when going through 
<tt>clamsmtpd</tt>, most notably SSL/TLS. Authentication does, however, 
work. Transparent proxying has only been tested on recent versions of 
FreeBSD (using ipfw) and Linux (using iptables).</p>

<p>This setup assumes the <tt>clamsmtpd</tt> proxy is running on the same 
machine as the gateway. Running it on a different machine is possible, but 
more complicated to set up.</p>

<h2>ClamSMTP Setup</h2>

<ul>
    <li>Make sure you're using ClamSMTP version 0.8 or later.</li>
    <li>Enable the <tt>TransparentProxy</tt> option in the config file.
        The <tt>OutAddress</tt> should be removed as the out address will
        be determined by the original destination of the SMTP connection.</li>
    <li>Be sure you have enough connections to support all the anticipated
        SMTP traffic. Use the <tt>MaxConnections</tt> option to adjust this.</li>
    <li>The examples below assume <tt>clamsmtpd</tt> is listening on the 
        default port of <tt>10025</tt>.</li>
    <li>Make sure <tt>clamd</tt> (the ClamAV daemon) is running, and that it is 
        listening on the socket you specified. You can set this in 
        <tt>clamav.conf</tt> using the <tt>LocalSocket</tt> or 
        <tt>TCPSocket</tt> directives (only uncomment one). Also make sure 
        the <tt>ScanMail</tt> directive is on.</li>
    <li>As usual, make sure to start <tt>clamsmtpd</tt> as the same user you
        run <tt>clamd</tt> as; usually it is called <tt>clamav</tt>.</li>
</ul>

<h2>FreeBSD</h2>

<p>Your kernel needs support for ipfw. You can either load this as a kernel 
module by executing the following:</p>

<pre># kldload ipfw.ko</pre>

<p>Or you can build it into your kernel by adding the following lines to 
your kernel config file. See the 
<a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">FreeBSD Handbook</a> for info on how to build a kernel. Make sure to install and 
reboot with the new kernel before proceeding.</p>

<pre>IPFIREWALL
IPFIREWALL_FORWARD</pre>

<p>Make sure IP forwarding (routing) is turned on. It probably already is
as transparent proxying happens on a router.</p>

<p>Run the following command. It adds a line to your firewall to route 
traffic to <tt>clamsmtpd</tt>.</p>

<pre># ipfw add 100 fwd 127.0.0.1,10025 tcp from not me to any 25</pre>

<h2>Linux</h2>

<p>If your kernel does not contain transparent proxy support you need to 
recompile your kernel with the following options. Recompiling your Linux 
kernel is beyond the scope of this document. You can find many tutorials 
on the subject online. After rebuilding and installing your new kernel 
make sure to reboot.</p>

<pre>
* Under General Setup
    o Networking support
    o Sysctl support
* Under Networking Options
    o Network packet filtering
    o TCP/IP networking
    o Fast switching: *NO*
* Under Networking Options -> IP: Netfilter Configuration
    o Connection tracking
    o IP tables support
    o Full NAT
    o REDIRECT target support
* Under File Systems
    o /proc filesystem support 
</pre>

<p>Make sure IP forwarding (routing) is turned on. It probably already is
as transparent proxying happens on a router.</p>

<p>Run the following command and add it to your boot scripts. Make sure to 
substitute your NIC name in the command below:</p>

<pre># iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 10025</pre>
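<p>As an added example that is not part of the ClamSMTP documentation, the following POSIX shell script checks a <tt>clamsmtpd.conf</tt> for the settings listed under ClamSMTP Setup above and prints the redirect rule for either the FreeBSD or the Linux section. It assumes the config file uses <tt>Key: value</tt> lines with <tt>#</tt> comments; the config path and NIC name are placeholders.</p>

```shell
#!/bin/sh
# Added example, not part of the ClamSMTP documentation. Checks a clamsmtpd.conf
# for the transparent-proxy settings listed above and prints the redirect rule.
# Assumption: the config uses "Key: value" lines with '#' comments.

# Print the value of a key, ignoring commented-out lines and trailing blanks.
conf_get() {
    # $1 = config file, $2 = key
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//; s/[[:space:]]+$//"
}

# Verify the settings the setup section requires; returns 0 only if all pass.
check_transparent_conf() {
    conf="$1"; rc=0
    if [ "$(conf_get "$conf" TransparentProxy)" != "on" ]; then
        echo "TransparentProxy must be 'on'"; rc=1
    fi
    if [ -n "$(conf_get "$conf" OutAddress)" ]; then
        echo "OutAddress must be removed; the original destination is used instead"; rc=1
    fi
    if [ -z "$(conf_get "$conf" MaxConnections)" ]; then
        echo "MaxConnections not set; size it for the expected SMTP load"; rc=1
    fi
    return $rc
}

# Print the firewall rule for the OS: $1 = freebsd|linux, $2 = NIC (Linux only),
# $3 = clamsmtpd port. The Linux rule only matches traffic arriving on the NIC
# (PREROUTING never sees locally generated packets), so mail sent by the
# gateway itself is not looped back into the proxy.
redirect_rule() {
    case "$1" in
        freebsd) echo "ipfw add 100 fwd 127.0.0.1,$3 tcp from not me to any 25" ;;
        linux)   echo "iptables -t nat -A PREROUTING -i $2 -p tcp --dport 25 -j REDIRECT --to-port $3" ;;
        *)       echo "unknown OS: $1" >&2; return 1 ;;
    esac
}

# Demo on a constructed config written to a temporary file (placeholder for
# the real clamsmtpd.conf path).
demo() {
    tmp=$(mktemp)
    printf 'TransparentProxy: on\n# OutAddress: 10026\nMaxConnections: 64\n' > "$tmp"
    check_transparent_conf "$tmp" && echo "config OK"
    redirect_rule linux eth0 10025
    rm -f "$tmp"
}
demo
```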

<h6>Copyright 2002, N. Nielsen&nbsp;&nbsp;&nbsp;[ <a href="./">clamsmtp</a> | 
<a href="../../">home page</a> ]</h6>

</body>
</html>